CVE-2009-0834 kernel: x86-64: syscall-audit: 32/64 syscall hole
Issue
- Fix request for CVE-2009-0834 on 5.2.z.
- On x86-64, a 32-bit process (TIF_IA32) can switch to 64-bit mode with ljmp, and then use the "syscall" instruction to make a 64-bit system call. A 64-bit process can make a 32-bit system call with int $0x80.
- In both these cases, audit_syscall_entry() will use the wrong system call number table and the wrong system call argument registers. This could be used to circumvent a syscall audit configuration that filters based on the syscall numbers or argument details.
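The following is an added C model (not kernel code and not the Red Hat patch) of why the audit record is wrong: selecting the syscall table and argument registers from the per-task TIF_IA32 flag is defeated by a task that switches mode before the call, whereas selecting them from the entry path actually taken (int $0x80 versus syscall) is not. Names such as audit_arch_by_flag, audit_arch_by_entry, audited_name and the two-entry table subsets are constructed for illustration; the syscall numbers shown (i386 11/59, x86-64 11/59) are the real ones.

```c
/* Model of the CVE-2009-0834 audit mislabeling (constructed, not kernel code).
 * x86-64 has two syscall tables and two argument conventions: the i386 one
 * (int $0x80: args in ebx, ecx, ...) and the x86-64 one (syscall: rdi, rsi, ...). */
#include <stdio.h>
#include <string.h>

#define TIF_IA32 0x1u        /* thread flag: task was exec'd as a 32-bit binary */
enum entry { ENTRY_INT80, ENTRY_SYSCALL64 };   /* entry path actually used */
enum arch  { ARCH_I386, ARCH_X86_64 };

/* Minimal register snapshot: only the first-argument register of each ABI. */
struct regs { unsigned long bx, di; };

/* Constructed subset of the two tables; nr 59 and nr 11 mean different things. */
static const char *name_i386(unsigned nr)   { return nr == 11 ? "execve" : nr == 59 ? "oldolduname" : "other"; }
static const char *name_x86_64(unsigned nr) { return nr == 59 ? "execve" : nr == 11 ? "munmap" : "other"; }

/* Vulnerable selection: trusts the per-task flag, which says how the task was
 * started, not which instruction it just used to enter the kernel. */
enum arch audit_arch_by_flag(unsigned flags) {
    return (flags & TIF_IA32) ? ARCH_I386 : ARCH_X86_64;
}

/* Entry-path selection: derives the ABI from the path the kernel itself took,
 * which the task cannot misreport. */
enum arch audit_arch_by_entry(enum entry e) {
    return e == ENTRY_INT80 ? ARCH_I386 : ARCH_X86_64;
}

/* What audit_syscall_entry() would record for this call under either policy. */
const char *audited_name(int use_entry, enum entry e, unsigned flags, unsigned nr) {
    enum arch a = use_entry ? audit_arch_by_entry(e) : audit_arch_by_flag(flags);
    return a == ARCH_I386 ? name_i386(nr) : name_x86_64(nr);
}

unsigned long audited_arg0(int use_entry, enum entry e, unsigned flags, struct regs r) {
    enum arch a = use_entry ? audit_arch_by_entry(e) : audit_arch_by_flag(flags);
    return a == ARCH_I386 ? r.bx : r.di;   /* ebx for i386, rdi for x86-64 */
}

int main(void) {
    /* Constructed case: TIF_IA32 task that switched to 64-bit mode and issued
     * `syscall` nr 59 (execve on x86-64) with its path pointer in rdi. */
    struct regs r = { .bx = 0, .di = 0x1000 };
    printf("flag-based:  %s arg0=%#lx\n", audited_name(0, ENTRY_SYSCALL64, TIF_IA32, 59),
           audited_arg0(0, ENTRY_SYSCALL64, TIF_IA32, r));
    printf("entry-based: %s arg0=%#lx\n", audited_name(1, ENTRY_SYSCALL64, TIF_IA32, 59),
           audited_arg0(1, ENTRY_SYSCALL64, TIF_IA32, r));
    return 0;
}
```

The flag-based path logs the call as i386 "oldolduname" with a zero first argument, so an audit rule watching execve by number or by argument never fires; the entry-based path logs x86-64 execve with the real pointer.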
Environment
- Red Hat Enterprise Linux 5 Update 2
- All architectures